spiffe · rturner3 · Dec 14, 2024 · Dec 16, 2024 · Dec 16, 2024 · jer8me
@@ -17,7 +17,6 @@ import (
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/cmd/spire-server/util"
-	"github.com/zeebo/errs"
 )
 
 const (
@@ -78,7 +77,7 @@ func printBundle(out io.Writer, bundle *types.Bundle) error {
 
 	docBytes, err := b.Marshal()
 	if err != nil {
-		return errs.Wrap(err)
+		return err
 	}
 
 	var o bytes.Buffer
@@ -87,7 +86,7 @@ func printBundle(out io.Writer, bundle *types.Bundle) error {
 	}
 
 	if _, err := fmt.Fprintln(out, o.String()); err != nil {
-		return errs.Wrap(err)
+		return err
 	}
 
 	return nil

@@ -77,7 +77,6 @@ require (
 	github.com/stretchr/testify v1.10.0
 	github.com/uber-go/tally/v4 v4.1.16
 	github.com/valyala/fastjson v1.6.4
-	github.com/zeebo/errs v1.4.0
 	golang.org/x/crypto v0.31.0
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
 	golang.org/x/net v0.32.0
@@ -281,6 +280,7 @@ require (
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	github.com/zeebo/errs v1.4.0 // indirect
 	go.mongodb.org/mongo-driver v1.14.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/contrib/detectors/gcp v1.29.0 // indirect

@@ -28,7 +28,6 @@ import (
 	"github.com/spiffe/spire/pkg/common/tlspolicy"
 	"github.com/spiffe/spire/pkg/common/util"
 	"github.com/spiffe/spire/pkg/common/x509util"
-	"github.com/zeebo/errs"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 )
@@ -101,7 +100,7 @@ func (a *attestor) Attest(ctx context.Context) (res *AttestationResult, err erro
 		// This is a bizarre case where we have an SVID but were unable to
 		// load a bundle from the cache which suggests some tampering with the
 		// cache on disk.
-		return nil, errs.New("SVID loaded but no bundle in cache")
+		return nil, errors.New("SVID loaded but no bundle in cache")
 	default:
 		log.WithField(telemetry.SPIFFEID, svid[0].URIs[0].String()).Info("SVID loaded")
 	}
@@ -265,7 +264,7 @@ func (a *attestor) serverConn(ctx context.Context, bundle *spiffebundle.Bundle)
 	if !a.c.InsecureBootstrap {
 		// We shouldn't get here since loadBundle() should fail if the bundle
 		// is empty, but just in case...
-		return nil, errs.New("no bundle and not doing insecure bootstrap")
+		return nil, errors.New("no bundle and not doing insecure bootstrap")
 	}
 
 	// Insecure bootstrapping. Do not verify the server chain but rather do a
@@ -279,7 +278,7 @@ func (a *attestor) serverConn(ctx context.Context, bundle *spiffebundle.Bundle)
 			if len(rawCerts) == 0 {
 				// This is not really possible without a catastrophic bug
 				// creeping into the TLS stack.
-				return errs.New("server chain is unexpectedly empty")
+				return errors.New("server chain is unexpectedly empty")
 			}
 
 			expectedServerID, err := idutil.ServerID(a.c.TrustDomain)
@@ -292,7 +291,7 @@ func (a *attestor) serverConn(ctx context.Context, bundle *spiffebundle.Bundle)
 				return err
 			}
 			if len(serverCert.URIs) != 1 || serverCert.URIs[0].String() != expectedServerID.String() {
-				return errs.New("expected server SPIFFE ID %q; got %q", expectedServerID, serverCert.URIs)
+				return fmt.Errorf("expected server SPIFFE ID %q; got %q", expectedServerID, serverCert.URIs)
 			}
 			return nil
 		},

@@ -22,7 +22,6 @@ import (
 	"github.com/spiffe/spire/pkg/common/pemutil"
 	"github.com/spiffe/spire/pkg/common/telemetry"
 	"github.com/spiffe/spire/proto/spire/common"
-	"github.com/zeebo/errs"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/anypb"
@@ -99,7 +98,7 @@ func (h *Handler) StreamSecrets(stream secret_v3.SecretDiscoveryService_StreamSe
 	}()
 
 	var versionCounter int64
-	var versionInfo = strconv.FormatInt(versionCounter, 10)
+	versionInfo := strconv.FormatInt(versionCounter, 10)
 	var lastNonce string
 	var lastNode *core_v3.Node
 	var upd *cache.WorkloadUpdate
@@ -150,7 +149,7 @@ func (h *Handler) StreamSecrets(stream secret_v3.SecretDiscoveryService_StreamSe
 
 			// We need to send updates if the requested resource list has changed
 			// either explicitly, or implicitly because this is the first request.
-			var sendUpdates = lastReq == nil || subListChanged(lastReq.ResourceNames, newReq.ResourceNames)
+			sendUpdates := lastReq == nil || subListChanged(lastReq.ResourceNames, newReq.ResourceNames)
 
 			// save request so that all future workload updates lead to SDS updates for the last request
 			lastReq = newReq
@@ -206,7 +205,7 @@ func subListChanged(oldSubs []string, newSubs []string) (b bool) {
 	if len(oldSubs) != len(newSubs) {
 		return true
 	}
-	var subMap = make(map[string]bool)
+	subMap := make(map[string]bool)
 	for _, sub := range oldSubs {
 		subMap[sub] = true
 	}
@@ -582,7 +581,7 @@ func nextNonce() (string, error) {
 	b := make([]byte, 4)
 	_, err := rand.Read(b)
 	if err != nil {
-		return "", errs.Wrap(err)
+		return "", err
 	}
 	return hex.EncodeToString(b), nil
 }

@@ -22,7 +22,6 @@ import (
 	"github.com/spiffe/spire/pkg/common/telemetry"
 	"github.com/spiffe/spire/pkg/common/x509util"
 	"github.com/spiffe/spire/proto/spire/common"
-	"github.com/zeebo/errs"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/encoding/protojson"
@@ -512,12 +511,12 @@ func keyStoreFromBundles(bundles []*spiffebundle.Bundle) (jwtsvid.KeyStore, erro
 func structFromValues(values map[string]any) (*structpb.Struct, error) {
 	valuesJSON, err := json.Marshal(values)
 	if err != nil {
-		return nil, errs.Wrap(err)
+		return nil, err
 	}
 
 	s := new(structpb.Struct)
 	if err := protojson.Unmarshal(valuesJSON, s); err != nil {
-		return nil, errs.Wrap(err)
+		return nil, err
 	}
 
 	return s, nil

@@ -3,6 +3,7 @@ package k8spsat
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"os"
 	"sync"
 
@@ -12,7 +13,6 @@ import (
 	"github.com/spiffe/spire/pkg/common/catalog"
 	"github.com/spiffe/spire/pkg/common/plugin/k8s"
 	"github.com/spiffe/spire/pkg/common/pluginconf"
-	"github.com/zeebo/errs"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 )
@@ -145,10 +145,10 @@ func (p *AttestorPlugin) getConfig() (*attestorConfig, error) {
 func loadTokenFromFile(path string) (string, error) {
 	data, err := os.ReadFile(path)
 	if err != nil {
-		return "", errs.Wrap(err)
+		return "", err
 	}
 	if len(data) == 0 {
-		return "", errs.New("%q is empty", path)
+		return "", fmt.Errorf("%q is empty", path)
 	}
 	return string(data), nil
 }
@@ -14,7 +14,6 @@ import (
 	"github.com/spiffe/spire/pkg/common/catalog"
 	"github.com/spiffe/spire/pkg/common/plugin/k8s"
 	"github.com/spiffe/spire/pkg/common/pluginconf"
-	"github.com/zeebo/errs"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 )
@@ -148,10 +147,10 @@ func (p *AttestorPlugin) getConfig() (*attestorConfig, error) {
 func loadTokenFromFile(path string) (string, error) {
 	data, err := os.ReadFile(path)
 	if err != nil {
-		return "", errs.Wrap(err)
+		return "", err
 	}
 	if len(data) == 0 {
-		return "", errs.New("%q is empty", path)
+		return "", fmt.Errorf("%q is empty", path)
 	}
 	return string(data), nil
 }
@@ -8,7 +8,6 @@ import (
 
 	"github.com/spiffe/go-spiffe/v2/bundle/spiffebundle"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
-	"github.com/zeebo/errs"
 )
 
 func Decode(trustDomain spiffeid.TrustDomain, r io.Reader) (*spiffebundle.Bundle, error) {
@@ -22,7 +21,7 @@ func Decode(trustDomain spiffeid.TrustDomain, r io.Reader) (*spiffebundle.Bundle
 func Unmarshal(trustDomain spiffeid.TrustDomain, data []byte) (*spiffebundle.Bundle, error) {
 	doc := new(bundleDoc)
 	if err := json.Unmarshal(data, doc); err != nil {
-		return nil, errs.Wrap(err)
+		return nil, err
 	}
 	return unmarshal(trustDomain, doc)
 }
@@ -35,20 +34,20 @@ func unmarshal(trustDomain spiffeid.TrustDomain, doc *bundleDoc) (*spiffebundle.
 		switch key.Use {
 		case x509SVIDUse:
 			if len(key.Certificates) != 1 {
-				return nil, errs.New("expected a single certificate in x509-svid entry %d; got %d", i, len(key.Certificates))
+				return nil, fmt.Errorf("expected a single certificate in x509-svid entry %d; got %d", i, len(key.Certificates))
 			}
 			bundle.AddX509Authority(key.Certificates[0])
 		case jwtSVIDUse:
 			if key.KeyID == "" {
-				return nil, errs.New("missing key ID in jwt-svid entry %d", i)
+				return nil, fmt.Errorf("missing key ID in jwt-svid entry %d", i)
 			}
 			if err := bundle.AddJWTAuthority(key.KeyID, key.Key); err != nil {
-				return nil, errs.New("failed to add jwt-svid entry %d: %v", i, err)
+				return nil, fmt.Errorf("failed to add jwt-svid entry %d: %w", i, err)
 			}
 		case "":
-			return nil, errs.New("missing use for key entry %d", i)
+			return nil, fmt.Errorf("missing use for key entry %d", i)
 		default:
-			return nil, errs.New("unrecognized use %q for key entry %d", key.Use, i)
+			return nil, fmt.Errorf("unrecognized use %q for key entry %d", key.Use, i)
 		}
 	}
 

@@ -11,7 +11,6 @@ import (
 	"github.com/spiffe/spire-plugin-sdk/pluginsdk"
 	"github.com/spiffe/spire-plugin-sdk/private"
 	"github.com/spiffe/spire/pkg/common/log"
-	"github.com/zeebo/errs"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
 )
@@ -147,7 +146,7 @@ func startPipeServer(server *grpc.Server, log logrus.FieldLogger) (_ *pipeConn,
 	// Dial the server
 	conn, err := grpc.Dial("IGNORED", grpc.WithBlock(), grpc.WithTransportCredentials(insecure.NewCredentials()), grpc.WithContextDialer(pipeNet.DialContext)) //nolint: staticcheck // It is going to be resolved on #5152
 	if err != nil {
-		return nil, errs.Wrap(err)
+		return nil, err
 	}
 	closers = append(closers, conn)
 

@@ -1,22 +1,25 @@
 package catalog
 
 import (
+	"errors"
 	"io"
 	"time"
 
-	"github.com/zeebo/errs"
 	"google.golang.org/grpc"
 )
 
 type closerGroup []io.Closer
 
 func (cs closerGroup) Close() error {
 	// Close in reverse order.
-	var errs errs.Group
+	var errs error
 	for i := len(cs) - 1; i >= 0; i-- {
-		errs.Add(cs[i].Close())
+		if err := cs[i].Close(); err != nil {
+			errs = errors.Join(errs, err)
+		}
-		if err := cs[i].Close(); err != nil {
-			errs = errors.Join(errs, err)
-		}
+		errs = errors.Join(errs, cs[i].Close())
-		if err := cs[i].Close(); err != nil {
-			errs = errors.Join(errs, err)
-		}
+		errs = errors.Join(errs, cs[i].Close())
 	}
-	return errs.Err()
+
+	return errs
 }
 
 type closerFunc func()

@@ -14,7 +14,6 @@ import (
 	"github.com/spiffe/spire-plugin-sdk/pluginsdk"
 	"github.com/spiffe/spire-plugin-sdk/private"
 	"github.com/spiffe/spire/pkg/common/log"
-	"github.com/zeebo/errs"
 	"google.golang.org/grpc"
 )
 
@@ -154,7 +153,7 @@ func (p *hcClientPlugin) GRPCClient(ctx context.Context, b *goplugin.GRPCBroker,
 	// does not work yet anyway, so it is a moot point.
 	listener, err := b.Accept(private.HostServiceProviderID)
 	if err != nil {
-		return nil, errs.Wrap(err)
+		return nil, err
 	}
 
 	server := newHostServer(p.config.Log, p.config.Name, p.config.HostServices)

@@ -7,7 +7,6 @@ import (
 	"fmt"
 
 	"github.com/go-jose/go-jose/v4"
-	"github.com/zeebo/errs"
 )
 
 func RSAPublicKeyEqual(a, b *rsa.PublicKey) bool {
@@ -58,7 +57,7 @@ func JoseAlgFromPublicKey(publicKey any) (jose.SignatureAlgorithm, error) {
 	case *rsa.PublicKey:
 		// Prevent the use of keys smaller than 2048 bits
 		if publicKey.Size() < 256 {
-			return "", errs.New("unsupported RSA key size: %d", publicKey.Size())
+			return "", fmt.Errorf("unsupported RSA key size: %d", publicKey.Size())
 		}
 		alg = jose.RS256
 	case *ecdsa.PublicKey:
@@ -69,10 +68,10 @@ func JoseAlgFromPublicKey(publicKey any) (jose.SignatureAlgorithm, error) {
 		case 384:
 			alg = jose.ES384
 		default:
-			return "", errs.New("unable to determine signature algorithm for EC public key size %d", params.BitSize)
+			return "", fmt.Errorf("unable to determine signature algorithm for EC public key size %d", params.BitSize)
 		}
 	default:
-		return "", errs.New("unable to determine signature algorithm for public key type %T", publicKey)
+		return "", fmt.Errorf("unable to determine signature algorithm for public key type %T", publicKey)
 	}
 	return alg, nil
 }
@@ -5,18 +5,17 @@ import (
 	"time"
 
 	"github.com/go-jose/go-jose/v4/jwt"
-	"github.com/zeebo/errs"
 )
 
 func GetTokenExpiry(token string) (time.Time, time.Time, error) {
 	tok, err := jwt.ParseSigned(token, AllowedSignatureAlgorithms)
 	if err != nil {
-		return time.Time{}, time.Time{}, errs.Wrap(err)
+		return time.Time{}, time.Time{}, err
 	}
 
 	claims := jwt.Claims{}
 	if err := tok.UnsafeClaimsWithoutVerification(&claims); err != nil {
-		return time.Time{}, time.Time{}, errs.Wrap(err)
+		return time.Time{}, time.Time{}, err
 	}
 	if claims.IssuedAt == nil {
 		return time.Time{}, time.Time{}, errors.New("JWT missing iat claim")